UMA telecon 2021-10-21

Date and Time

Agenda

Minutes

Roll call

Approve minutes

Deferred



IIW closing thoughts

(see initial thoughts from last weeks minutes)


FHIR Vulnerability Review

and how UMA could address, maybe a 1-2 page position

https://www.scmagazine.com/analysis/application-security/critical-flaws-found-in-interoperability-backbone-fhir-apis-vulnerable-to-abuse

https://www.healthcareitnews.com/news/cybersecurity-briefs-olympus-it-outage-fhir-vulnerabilities-and-more

Summary of articles: a white-hat security company (https://approov.io/) have looked at some health care mobile applications that access FHIR apis. Patients were authenticating against the API/EHR, however the applications were able to access all FHIR data regardless of the authenticated user. There were also issues raised around static client credentials embedded in the mobile applications (public SMART on FHIR app using confidential client creds?)

want to avoid a 'shut down access' reactive response


Potential Outline:


application of provider authZ setup to patient access

difference of patient/*.* (what they should've done) and user/*.* (what they did)


Patient empowerment group (hl7 group) is meeting and the article writer is presenting these findings.


Let's use confluence, Alec will create a page and move these notes over then share the link on the mailing list


AOB




Conference roundup

In person is coming back!


Topic Candidates (from previous week's telcon)


Attendees

As of October 26, 2020, quorum is 5 of 9. (Michael, Domenico, Peter, Sal, Thomas, Andi, Alec, Eve, Steve)

Voting:

  1. Eve
  2. Alec
  3. Domenico

Non-voting participants:

  1. Scott G, working with Healthcare team at Forgerock
  2. Nancy
  3. Vladimir
  4. Scott 

Regrets:

  1. Steve